Which SailPoint module is used to create Separation of Duties policies?

Correct: c. SoD policies — including their name, risk weight, List A/B definitions and population scope — are created and managed in the Policy module of SailPoint Identity Security Cloud (formerly IdentityNow).

Why is a risk weight assigned to an SoD policy?

Correct: c. The risk weight gives each violation a severity score. Governance teams use scores to triage: high-weight violations (e.g. create + approve payments) are remediated before low-weight ones, and the score appears in compliance dashboards.

An SOX auditor asks for evidence that a rejected access request was reviewed by a human. Where do you point them?

Correct: b. The immutable audit trail records every approval event — who acted, when, what decision was made and any comments. This is the primary evidence artefact for SOX, SOC 2 and ISO 27001 access-control reviews.

Preventive SoD was disabled during a system migration. What is the best next step to find violations that slipped through?

Correct: b. A detective policy scan evaluates every identity's current access against all active SoD policies and raises violations immediately. This is faster and more reliable than manual manager reviews or waiting for a scheduled certification cycle.

A business user needs to temporarily hold two conflicting entitlements for a project. What is the most governance-sound approach?

Correct: c. A time-limited exception with a documented justification is the approved governance path: SailPoint records the exception, the approver, the expiry, and automatically re-raises the violation when it expires. Disabling the policy affects all identities and loses the audit trail.

Why should you always configure a fallback approver on each approval level in SailPoint?

Correct: a. Wait — the correct answer is option c. A fallback approver takes over when the primary is absent, ensuring the request is reviewed (not auto-abandoned or auto-approved) and that a human decision is still recorded in the audit trail. Option a (self-approval) is a governance anti-pattern SailPoint explicitly discourages.

SailPoint Access Requests & SoD Policies — Workflow, Approvals & Violations

Q: At which step in the SailPoint access-request lifecycle is the SoD policy evaluated?

Correct: c. SoD is evaluated at the approval step — the approver sees a violation warning (or a hard block) before they can confirm the request, giving them the chance to reject or override before access is provisioned.

Q: What is a 'fallback approver' in a SailPoint approval workflow?

Correct: b. A fallback approver ensures approval requests are not stuck when the primary approver (e.g. a manager) is on leave or inactive. SailPoint escalates to the fallback after the configured timeout.

Q: A finance analyst already has the 'Create Vendor' entitlement. She requests 'Pay Vendor'. What happens if an SoD policy covers those two?

Correct: b. Holding Create Vendor (List A) and requesting Pay Vendor (List B) satisfies both sides of the SoD policy — a violation fires. The approver is warned and must either reject the request or grant a documented exception.

Q: An auditor asks how you caught SoD violations that existed before your SoD policy was created. Which control type surfaces those?

Correct: d. Wait — the correct answer here is detective controls (option b). Detective mode runs scheduled scans across all identities and raises violations for access that already exists, even if it predates the policy being turned on. (This question's correct letter is 'b'.)

Most engineers think…

Most people picture SailPoint as 'a tool that provisions accounts'. That framing misses the governance half that auditors actually care about.

SailPoint IGA is a lifecycle plus policy engine: it manages the full journey from access request through approval, provisioning and ongoing certification — and it enforces Separation of Duties (SoD) rules at every stage. Understanding the request-to-provision path, and how SoD violations are caught both before and after access is granted, is what differentiates an IGA practitioner from someone who just runs joiner-mover-leaver scripts.

① The access-request lifecycle — submission to provisioning

An access request in SailPoint IGA begins when an identity (or their manager) opens the access-request portal and picks one or more roles or access profiles to request. The platform checks whether the requester is within scope of the governance policy, then routes the request into an approval workflow. Once all approvers have acted, SailPoint automatically provisions the access to the connected source — no manual tickets needed.

The request object in SailPoint carries the requester, the requested items, a comment field for business justification, an optional deadline, and a status that advances through Requested → In Review → Approved/Rejected → Provisioning → Completed. At the Approved step, SoD policy is evaluated: if a conflict is found, the reviewer sees a violation warning before confirming. Admins can configure whether a violation is a hard block or an overridable warning.

Figure 1 — Access-request lifecycle — five steps

Every SailPoint access request follows the same five-step path from submission to provisioned access.

Quick check · Q1 of 10 · Understand

At which step in the SailPoint access-request lifecycle is the SoD policy evaluated?

a) After provisioning has completedb) Before the request is even submittedc) During the approval step — before the approver confirms and before provisioning startsd) Only during a nightly batch run

Correct: c. SoD is evaluated at the approval step — the approver sees a violation warning (or a hard block) before they can confirm the request, giving them the chance to reject or override before access is provisioned.

👉 So far: An access request flows: Submit → SoD Check → Approve (with violation warning) → Provision → Certify. SailPoint automates every step after approval.

② Approval workflows — single, multi-level and owner-based

SailPoint lets you configure approval schemes on each role or access profile independently. The simplest is owner approval: the person listed as role owner or access profile owner receives the request and approves or rejects it. For sensitive roles you can chain approvers — for example, direct manager first, then a governance team second — which SailPoint calls a sequential multi-level approval. You can also configure parallel approval where all approvers must act within a time window.

Approval configuration levers you must know

Key settings include: approval scheme (none, manager, owner, governance group), fallback approver (for absent managers), auto-approval for low-risk entitlements, expiration (how long a pending request waits before it times out), and escalation path (who takes over if the primary approver is inactive). Every approve or reject action is time-stamped in the audit log — this is what satisfies SOX and SOC 2 reviewers.

Figure 2 — Approval scheme hierarchy

SailPoint evaluates approval tiers from the top; all levels must pass before provisioning begins.

📋

Access Request

tap to flip

A formal ask for a role or access profile. Carries requester, items, justification, status and audit timestamps. Routes through the configured approval scheme before provisioning.

✅

Approval Scheme

tap to flip

The configured chain of approvers on a role or access profile — owner, manager, governance group, or none. Can be sequential (all in order) or parallel (all simultaneously).

⚖️

SoD Policy

tap to flip

Two conflicting access lists (List A and List B). An identity holding access from both lists simultaneously triggers a policy violation with a risk weight and remediation path.

🚨

Policy Violation

tap to flip

Fired when an identity holds (or would hold) access that conflicts with an SoD policy. Resolved by revoking the conflicting access, granting a time-limited exception, or noting a compensating control.

Name all three approval levers

In an interview, separate the approval scheme (owner / manager / governance group) from the escalation path (what happens if they don't act) and the fallback approver (who steps in when the primary is absent). Knowing all three shows you have operated the workflow, not just read about it.

Quick check · Q2 of 10 · Remember

What is a 'fallback approver' in a SailPoint approval workflow?

a) The identity who submitted the requestb) A backup approver who takes over if the primary approver is absent or inactivec) An automated bot that auto-approves low-risk requestsd) The SailPoint system administrator

Correct: b. A fallback approver ensures approval requests are not stuck when the primary approver (e.g. a manager) is on leave or inactive. SailPoint escalates to the fallback after the configured timeout.

👉 So far: Approval schemes stack: owner → manager → governance group. Configure fallback approvers and escalation timers so requests never go stale — every action is time-stamped in the audit log.

③ SoD policies — defining conflicting-access rules

A Separation of Duties policy in SailPoint is built from two access lists. List A contains one set of roles or entitlements; List B contains a conflicting set. If an identity holds access from both lists simultaneously, a policy violation is raised. Classic examples: the ability to create a purchase order should conflict with the ability to approve a purchase order; or create a vendor should conflict with pay a vendor.

Policies are created in the Policy module of SailPoint Identity Security Cloud (formerly IdentityNow). Each policy has a name, description, risk weight (used to score the severity of violations), and an optional compensating control note. You can scope a policy to specific populations using filters, so a finance-only conflict rule does not fire against engineering identities. Policies can be set to active (enforced) or inactive (monitored but not blocking).

Figure 3 — SoD policy engine — one rule, every identity

The SoD policy engine compares every identity's access against both lists; a match in both fires a violation.

'SoD is just a checkbox' under-sell

SoD without a risk weight and without a documented exception process is nearly worthless in an audit. Auditors want to see that violations carry a severity score, that exceptions are time-limited with justifications, and that compensating controls are noted. SailPoint supports all of this — make sure you configure it, not just create the policy.

▶ Watch an SoD violation caught at the approval step

How a single access request hits a conflict and is blocked — step by step. Press Play for the healthy catch, then Break it to see what happens when preventive SoD is off.

① RequestPriya submits a request for the 'PO-Approve' role in the access-request portal, adding a short business justification.

▼

② SoD CheckSailPoint evaluates her current access. She already holds 'PO-Create' from List A. 'PO-Approve' is in List B — the SoD policy fires a violation.

▼

③ Approver notifiedHer manager sees the approval task with a red violation banner. He can reject the request or grant a documented exception with an expiry date.

▼

④ Reject + auditManager rejects. The violation is closed, the rejection reason is recorded in the immutable audit trail, and the request status moves to Rejected.

Press Play to step through the healthy SoD-catch path. Then press Break it.

Quick check · Q3 of 10 · Apply

A finance analyst already has the 'Create Vendor' entitlement. She requests 'Pay Vendor'. What happens if an SoD policy covers those two?

a) The request is silently approved with no warningb) A policy violation is triggered because she would hold both List A and List B accessc) SailPoint automatically revokes 'Create Vendor' to allow the new requestd) The request is converted into a certification campaign

Correct: b. Holding Create Vendor (List A) and requesting Pay Vendor (List B) satisfies both sides of the SoD policy — a violation fires. The approver is warned and must either reject the request or grant a documented exception.

👉 So far: An SoD policy = List A (role set) + List B (conflicting role set). Any identity holding both fires a violation with a risk weight. Scope policies to populations so they fire only where relevant.

④ Violations & remediation — preventive vs detective controls

SailPoint SoD operates in two modes. Preventive (proactive) mode checks a new access request against existing access before provisioning: if the combination would violate a policy, the approver is warned — or the request is hard-blocked, depending on configuration. This stops violations from entering the environment. Detective (reactive) mode runs scheduled policy scans across all identities and flags any that already hold conflicting access — these appear as violations in the Policy Violations dashboard.

Remediation paths

Each violation can be resolved in one of three ways: (1) Revoke the conflicting entitlement — the cleanest fix, SailPoint handles deprovisioning automatically; (2) Exception — a documented business justification with an expiry date, after which SailPoint re-raises the violation; (3) Compensating control — a note that a mitigating control (e.g. a monthly reconciliation or supervisor review) covers the risk. All three outcomes are recorded in the immutable audit trail, which auditors inspect during SOX or ISO 27001 reviews.

Figure 4 — Preventive vs detective SoD controls

Both control types are needed — preventive stops new violations; detective cleans up existing ones.

Priya at a Mumbai fintech faces this

During a SOX audit, the auditors flag that three finance team members can both create and approve purchase orders in the ERP — a classic SoD violation that was never caught.

Likely cause

The SoD policy existed in SailPoint but was set to inactive, so no violation scans ran and no preventive checks fired during access requests.

Diagnosis

Open Policy module → check policy status: the PO-Create vs PO-Approve policy is marked inactive. Run an ad-hoc policy scan to see how many identities are in violation.

Policy module ▸ Policy status → Inactive; Policy Violations dashboard → 0 results (policy not scanning)

Fix

Activate the policy, run a full scan, remediate violations by revoking the lower-priority entitlement (or granting a time-limited exception with a documented compensating control), then enable preventive checking on the access-request workflow.

Verify

Re-run the policy scan — violations are now raised and being worked. New access requests for PO-Approve warn approvers if the requester already holds PO-Create.

Prove remediation from the audit trail

Never close an SoD violation ticket on 'I think it was fixed'. Open the Policy Violations dashboard in SailPoint and confirm the violation status is Remediated. The audit trail entry shows who took the action, when, and which path (revoke / exception / compensating control) — that single read answers most compliance queries without guessing.

Quick check · Q4 of 10 · Analyze

An auditor asks how you caught SoD violations that existed before your SoD policy was created. Which control type surfaces those?

a) Preventive controls, because they block all future requestsb) Detective controls — scheduled policy scans that evaluate all current identities against the new policyc) The access-request portal logsd) Multi-level approval chains

Correct: d. Wait — the correct answer here is detective controls (option b). Detective mode runs scheduled scans across all identities and raises violations for access that already exists, even if it predates the policy being turned on. (This question's correct letter is 'b'.)

👉 So far: Preventive SoD blocks at request time (before provisioning). Detective SoD scans all identities on a schedule. Remediate by revoke, timed exception, or compensating control — all recorded in the immutable audit trail.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from vendor docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

🧠 In your own words

Type one line: why is it risky to rely only on preventive SoD controls and skip detective scans? Then compare with the expert version.

Expert version: Preventive SoD only checks new access requests — it cannot catch conflicts that already exist (e.g. from a period before the policy was active, or from direct provisioning outside SailPoint). Detective scans evaluate all current identities against active policies and surface those pre-existing violations. A mature SoD programme needs both: preventive to stop new violations entering, detective to clean up what is already there.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📩 Quiz me on this in 7 days. Opt in and we'll email 3 micro-questions on SailPoint at Day 1, Day 7 and Day 30 — spaced repetition is how this sticks. Un-tick any time.

📖 Glossary

Access Request: A formal submission by an identity (or their manager) to be granted a role or access profile, routed through a configured approval workflow before provisioning.
Approval Scheme: The configured chain of approvers on a role or access profile — options include role owner, direct manager, or governance group, in sequential or parallel order.
Separation of Duties (SoD): A governance principle preventing one identity from holding two conflicting privileges (e.g. create and approve a payment). Enforced in SailPoint via SoD policies.
SoD Policy: A rule in SailPoint comprising List A and List B of entitlements. An identity holding access from both lists simultaneously triggers a policy violation.
Policy Violation: A recorded conflict raised when an identity holds (or requests) access that matches both sides of an SoD policy. Carries a risk weight and must be remediated.
Preventive Control: An SoD check that evaluates a new access request before provisioning, warning or blocking the approver when a conflict would be created.
Detective Control: A scheduled policy scan that evaluates all identities against active SoD policies and flags any that currently hold conflicting access.
Audit Trail: SailPoint's tamper-evident, time-stamped log of every access event — requests, approvals, rejections, violations, exceptions and provisioning results — used as compliance evidence.
Exception: A time-limited documented override of an SoD violation, with a business justification and expiry date after which SailPoint automatically re-raises the violation.
Compensating Control: A note attached to an SoD violation acknowledging a mitigating measure (e.g. supervisor oversight or monthly reconciliation) that reduces but does not remove the risk.

📚 Sources

SailPoint Documentation — Separation of Duties Overview (Identity Security Cloud). documentation.sailpoint.com/saas/help/sod/index.html
SailPoint Documentation — Handling Policy Violations. documentation.sailpoint.com/saas/help/sod/policy-violations.html
SailPoint Documentation — Managing Policies — SoD policy creation, risk weights and population scope. documentation.sailpoint.com/saas/help/sod/manage-policies.html
SailPoint Documentation — Managing Requests for Roles and Access Profiles — approval schemes and configuration. documentation.sailpoint.com/saas/help/requests/config_ap_roles.html
SailPoint Community — Separation of Duties best practices in IdentityIQ. community.sailpoint.com/t5/IdentityIQ-Wiki/Separation-of-duties-SoD-best-practices-in-IdentityIQ/ta-p/178004
SailPoint Developer Community — SoD policy for access requests — discussion. developer.sailpoint.com/discuss/t/separation-of-duties-policy-for-access-request/93995

What's next?

Got access requests and SoD? Next, go deep on access certifications — how SailPoint launches campaigns, how AI recommends revoke vs certify, and how you close a certification loop cleanly.

Next · All interview lessons → Practice on exam.techclick.in →

SailPoint Access Requests & SoD — Workflow, Approvals & Policy Violations

🎯 By the end you will be able to

Pick where you want to start

Access requests

Approval workflow

SoD policies

Violations & remediation

① The access-request lifecycle — submission to provisioning

② Approval workflows — single, multi-level and owner-based

Approval configuration levers you must know

③ SoD policies — defining conflicting-access rules

▶ Watch an SoD violation caught at the approval step

④ Violations & remediation — preventive vs detective controls

Remediation paths

🤖 Ask the AI Tutor

📝 Wrap-up assessment — six more

🧠 In your own words

🗣 Teach a friend

📖 Glossary

📚 Sources

What's next?